Main mode scenario 3

Certificate authority (CA) certificates are associated with the identities of remote ISAKMP servers. When RSA signature mode authentication is being performed, the ISAKMP responder might send one or more certificate requests to the ISAKMP initiator to guide the initiator in selecting a certificate signed by an acceptable CA. Unfortunately, during a Main mode exchange the responding ISAKMP server must send its certificate request (in message 4) before it learns the identity of the initiating ISAKMP server, because the identity payloads are not exchanged until messages 5 and 6. The responder therefore cannot base its certificate request on who the initiator is; it can only base it on the policy that tentatively matches the initiator's address and the key proposal that was selected.

The z/OS® IKE daemon handles this limitation as follows:
  1. A key proposal is selected as described in Scenario 1.
  2. If the selected key proposal indicates RSA signature mode authentication, then the IKE daemon includes one or more certificate requests in message 4.
    • If a tentative KeyExchangeRule is in effect and the KeyExchangeRule's RemoteSecurityEndpoint includes one or more CaLabels, a certificate request corresponding to each CaLabel is included in message 4.
    • If the RemoteSecurityEndpoint does not include a CaLabel, a certificate request corresponding to each SupportedCertAuth is included in message 4.
    • If there are no applicable CaLabels or SupportedCertAuth statements configured, an empty certificate request is included in message 4, indicating that the initiator can use a certificate signed by any CA.
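The selection rules above, carried through to the bytes the initiator actually receives, as an added example (this is illustrative code, not the z/OS IKE daemon's implementation). It models a tentative KeyExchangeRule with a RemoteSecurityEndpoint and its CaLabels, the SupportedCertAuth list, and the result of the key proposal selection, then frames one IKEv1 Certificate Request payload per selected CA as laid out in RFC 2408 section 3.10 (payload type 7, certificate encoding 4 for "X.509 Certificate - Signature", CA identified by its DER-encoded subject name). The mapping from a CaLabel to a subject DN is a constructed stand-in for looking the CA certificate up on the key ring; the minimal DER Name encoder, the `KeyExchangeRule` and `RemoteSecurityEndpoint` classes and all function names are assumptions of this example.

```python
"""Added example (not z/OS code): message-4 CERTREQ selection for Main mode scenario 3."""
import struct
from dataclasses import dataclass, field
from typing import Dict, List, Optional

PAYLOAD_NONE = 0          # RFC 2408 section 3.1: no further payload
PAYLOAD_CERTREQ = 7       # RFC 2408 section 3.1: Certificate Request payload
CERT_X509_SIGNATURE = 4   # RFC 2408 section 3.9: "X.509 Certificate - Signature" encoding

# Minimal DER Name encoder (assumption: only C, O, OU and CN attributes, UTF8String values).
_OIDS = {"C": b"\x55\x04\x06", "O": b"\x55\x04\x0a", "OU": b"\x55\x04\x0b", "CN": b"\x55\x04\x03"}


def _der(tag: int, body: bytes) -> bytes:
    """Wrap body in a DER TLV with short- or long-form length."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    ln = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + body


def dn_to_der(dn: str) -> bytes:
    """'C=US,O=Example,CN=Example CA' -> DER Name, one single-attribute RDN per component."""
    rdns = b""
    for part in dn.split(","):
        attr, value = part.strip().split("=", 1)
        atv = _der(0x30, _der(0x06, _OIDS[attr.upper()]) + _der(0x0C, value.encode("utf-8")))
        rdns += _der(0x31, atv)   # SET OF AttributeTypeAndValue
    return _der(0x30, rdns)       # SEQUENCE OF RelativeDistinguishedName


@dataclass
class RemoteSecurityEndpoint:
    ca_labels: List[str] = field(default_factory=list)   # CaLabel statements


@dataclass
class KeyExchangeRule:
    remote: RemoteSecurityEndpoint


def select_ca_labels(rsa_sig_auth: bool, rule: Optional[KeyExchangeRule],
                     supported_cert_auth: List[str]) -> Optional[List[str]]:
    """Which CAs the responder names in message 4.

    None  -> selected key proposal is not RSA signature mode: no CERTREQ at all.
    []    -> RSA signature mode but no CaLabel/SupportedCertAuth: one empty CERTREQ (any CA).
    list  -> one CERTREQ per label.
    """
    if not rsa_sig_auth:
        return None
    if rule is not None and rule.remote.ca_labels:      # tentative rule with CaLabels wins
        return list(rule.remote.ca_labels)
    if supported_cert_auth:                             # otherwise fall back to SupportedCertAuth
        return list(supported_cert_auth)
    return []


def build_certreq(ca: bytes, next_payload: int) -> bytes:
    """Next Payload(1) RESERVED(1) Payload Length(2) Cert Encoding(1) Certificate Authority(var)."""
    return struct.pack("!BBHB", next_payload, 0, 5 + len(ca), CERT_X509_SIGNATURE) + ca


def message4_certreqs(rsa_sig_auth: bool, rule: Optional[KeyExchangeRule],
                      supported_cert_auth: List[str], ca_dn_by_label: Dict[str, str]) -> bytes:
    """The chain of CERTREQ payloads the responder appends to message 4 (chain shown in isolation)."""
    labels = select_ca_labels(rsa_sig_auth, rule, supported_cert_auth)
    if labels is None:
        return b""
    cas = [dn_to_der(ca_dn_by_label[label]) for label in labels] or [b""]
    out = b""
    for i, ca in enumerate(cas):
        out += build_certreq(ca, PAYLOAD_CERTREQ if i + 1 < len(cas) else PAYLOAD_NONE)
    return out


def parse_certreqs(buf: bytes) -> List[bytes]:
    """What the initiator does with message 4: walk the CERTREQ chain and collect the CA names."""
    cas, off = [], 0
    while off < len(buf):
        nxt, _, ln, enc = struct.unpack_from("!BBHB", buf, off)
        if ln < 5 or off + ln > len(buf) or enc != CERT_X509_SIGNATURE:
            raise ValueError("malformed or unsupported CERTREQ")
        cas.append(buf[off + 5:off + ln])   # b"" means "any CA is acceptable"
        off += ln
        if nxt == PAYLOAD_NONE:
            break
    return cas


if __name__ == "__main__":
    # Constructed sample configuration.
    dns = {"RootCA": "C=US,O=Example,CN=Example Root CA", "PartnerCA": "CN=Partner CA"}
    rule = KeyExchangeRule(RemoteSecurityEndpoint(["RootCA", "PartnerCA"]))
    for ca in parse_certreqs(message4_certreqs(True, rule, [], dns)):
        print(len(ca), ca.hex() or "<any CA>")
```

An initiator that receives an empty certificate request can answer with a certificate from any CA, so when the responder's policy should only admit specific CAs, the CaLabel or SupportedCertAuth statements are what turn that intent into a constraint on message 4; the check that the presented certificate actually chains to an acceptable CA still happens after the initiator's identity and certificate arrive.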